wifi: mac80211: fix crash in beacon protection for P2P-device

stable inclusion from stable-v5.10.148 commit 58c0306d0bcd5f541714bea8765d23111c9af68a category: bugfix bugzilla: 187817, https://gitee.com/src-openeuler/kernel/issues/I5VMMW CVE: CVE-2022-42722 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=58c0306d0bcd5f541714bea8765d23111c9af68a -------------------------------- commit b2d03cab upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 9eaf183a ("mac80211: Report beacon protection failures to user space") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>i Signed-off-by: N Dong Chenchen <dongchenchen2@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

wifi: mac80211: fix crash in beacon protection for P2P-device
stable inclusion from stable-v5.10.148 commit 58c0306d0bcd5f541714bea8765d23111c9af68a category: bugfix bugzilla: 187817, https://gitee.com/src-openeuler/kernel/issues/I5VMMW CVE: CVE-2022-42722 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=58c0306d0bcd5f541714bea8765d23111c9af68a -------------------------------- commit b2d03cab upstream. If beacon protection is active but the beacon cannot be decrypted or is otherwise malformed, we call the cfg80211 API to report this to userspace, but that uses a netdev pointer, which isn't present for P2P-Device. Fix this to call it only conditionally to ensure cfg80211 won't crash in the case of P2P-Device. This fixes CVE-2022-42722. Reported-by: N Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 9eaf183a ("mac80211: Report beacon protection failures to user space") Signed-off-by: N Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>i Signed-off-by: N Dong Chenchen <dongchenchen2@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Reviewed-by: N Liu Jian <liujian56@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
5b721b7b · Johannes Berg · Zheng Zengkai · b3297e99 · 5b721b7b
显示空白变更内容
内联并排

Showing with 7 addition and 5 deletion

net/mac80211/rx.c net/mac80211/rx.c +7 -5

未找到文件。
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1976,6 +1976,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 		if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
 		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
 				   NUM_DEFAULT_BEACON_KEYS) {
+			if (rx->sdata->dev)
 				cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
 							     skb->data,
 							     skb->len);
@@ -2126,7 +2127,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 	/* either the frame has been decrypted or will be dropped */
 	status->flag |= RX_FLAG_DECRYPTED;

-	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
+	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE &&
+		     rx->sdata->dev))
 		cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
 					     skb->data, skb->len);